behind enemy lines - practical & triage approaches to mobile security abroad
TRANSCRIPT
Behind Enemy LinesPractical & Triage Approaches to Mobile Security Abroad
Presentation Objectives‣ Highlight the threats posed by
traveling abroad with mobile devices
‣ Discuss lessons learned from real world experiences
‣ Provide practical recommendations for reducing these threats
‣ Do it all in 40 mins or less
About me‣ Justin Morehouse (@mascasa)
‣ Principal Consultant, Stratum Security
‣ CTO of ThreatSim
‣ Security Operations and Consulting
‣ Co-author ‘Securing the Smart Grid’
‣ OWASP Tampa Chapter Founder & Leader
‣ Presented at DEF CON, ShmooCon, OWASP, and more...
‣ Since 2008 I’ve used and subsequently voided the warranties of the following:
‣ BlackBerry Bold 9700 & 8820
‣ HTC Nexus One (Android 2.3)
‣ iPhone, 3G, 3GS, 4, 4s (All iOS versions)
‣ Motorola Droid (Android 2.1, 2.2, 2.3)
‣ Samsung Galaxy S (Android 2.1)
‣ T-Mobile (HTC) Dash (Windows Mobile 6.5)
My addiction to smartphones
Stratum Security
Why mobile security?
Stratum Security
Because mobile devices are everywhere...
Stratum Security
Smartphones outsold PCs in Q4 of 2010
1,000,000,000+ smartphone users by 2013
...and do amazing(ly stupid) things
and everyone uses them...
most recently...
Stratum Security
Why international mobile security?
Video Conferencing
My TripIt profile page
Is mobile security a real issue?
Example #1
Example #2
Wikileaks Spy Files
How you are targeted by threat agents
...phishing
evil maid attack
...and drive-by downloads
Not all threats are created equal...
Advanced Threats
MinimalThreats
Moderate Threats
Practical mitigation steps
Have a plan...
Make yourself anonymous
(as possible)
Leverage existing technologies...
Case Study
Client Overview
‣ Well-known international retail organization
‣ Executives traveling to hostile countries with moderate threats
‣ Loss of IP would be harmful to organization if obtained by competition
Proposed Solution
‣ Utilize factory unlocked iPhone 4 ‘burner’ phones
‣ Preconfigure with VPN, encryption, PIN, remote wipe, via MDM
‣ Purchase local SIM (with cash) upon arrival
‣ Perform forensics on phone upon return
Solution Issues
‣ Executives often forgot to enable VPN before using data services
‣ Local SIM purchase required detailed information (passport)
‣ Executives used public wireless networks on several occasions
Lessons Learned‣ Utilize configuration utilities to enforce policies
on devices (WiFi, VPN, etc.)
‣ Purchase local SIM cards in advance using anonymous(ish) means (BitCoin)
‣ Disable local syncing in favor of web-based solutions
‣ Require two-factor authentication for all web-based solutions
‣ Tunnel your tunnels (VPN & SSL)
Effective mobile security triage
Keep it simple...
Plan for the Worst
‣ Knowledge is key (DO’s and DON’Ts cheat-sheet)
‣ Rule of 32 (w/ Vodafone UK SIM)
‣ Remote deployment solutions (Wipe & rebuild required)
‣ Overnight INTL shipping